Grafana Variables and SQL injection

Hello,
I have a demo server running Grafana.
This server does not have any super sensitive data, but I would still rather not have it trivially hijacked.
My main fear is: Grafana datasources contain passwords to my 3rd party database (InfluxDB).
Theoretically, someone could SQL inject something into influx (or grafana), and take control of my cluster.

My dashboard is fairly simple. It runs a single query, but contains a variable:

SELECT time,value  FROM "battery" WHERE deviceid='$selected_deviceid' and $timeFilter 

I have noticed that you can set selected_deviceid from the dashboard URL, and I find it a bit unsetteling.
I would like to understand the dangers here.

I would like to expose this with a user that has only viewer privileges.

Here are my concerns:

  1. What kind of damage could a hostile user with viewer privleges do?
    • Could they take control of InfluxDB with some easy SQL injection?
  2. Disregaring question #1, how robust is Grafana against attacks? Could a random (unauthorized) user steal my admin credentials (without brute-forcing them)?

I am using HTTPS to protect the user sessions by the way.

As I have multiple demonstrators with multiple devices, it would make my life easier to expose Grafana over the open internet.
What would I be risking by exposing this on the internet?

1 Like

FYI: try to search your topic on the forum and you will get more details:
https://localhost:3000/search?context=topic&context_id=24099&q=grafana%20sql%20injection&skip_context=true